
Automating Critical Security Controls for Threat Remediation and Compliance


Trends like the increased use of cloud computing by businesses and their vendors introduce new complexities in reducing risk and assessing security across the supply chain. Demonstrating continuous risk reduction and compliance with internal policies and external regulations, fixing violations and configuration drift, centrally managing exceptions, and documenting progress are all common challenges.

The Center for Internet Security’s (CIS) Critical Security Controls (CSCs) were selected and prioritized by leading security experts to stop today’s most common and serious cyber threats. By implementing these controls, organizations can improve their security posture and reduce the risk of threats to critical assets, data, and network infrastructure.

In this webcast SANS Senior Analyst John Pescatore and Tim White, Director of Product Management for Qualys Policy Compliance (PC), discuss how you can achieve continuous security and compliance, and leverage Qualys solutions to address all 20 CSCs.

The presentation encompasses:
• An overview of the CIS Critical Security Controls, including ongoing updates
• Success patterns organizations have demonstrated for using the controls to their advantage
• How automation can reduce the staffing load needed to determine whether controls are in place and effective
• How to prioritize remediation efforts
• Real-world examples of recent attacks that leveraged misconfigured systems


Published in: Technology

  1. Center for Internet Security Top 20 Critical Security Controls: Best Practices for Automating the Top 20 Controls with Qualys Security Apps. Tim White, Director of Product Management, Qualys, Inc.; John Pescatore, SANS Senior Analyst
  2. Cybersecurity Key Trends
     • High-visibility security incidents have greatly increased Boards of Directors' interest in cybersecurity
     • That is not always a good thing…
     • Business damage comes not just from breaches
     • 80%+ of incidents are traced to a lack of basic security hygiene
     • Another way to look at it: enterprises with mature inventory, visibility, configuration management and privilege management processes rarely make the news.
     Source: Palo Alto Networks
  3. Not Just Breaches: Ransomware (Source: Kaspersky)
  4. Cost of Downtime
     • Hard costs of downtime range from $100/min to $6,000+/min
     • Average outages range from 2.3 hours to 8+ hours, with multi-day outages frequent
     • FedEx and Maersk each claim a $300M cost!
     Source: AppDynamics
  5. Cybercrime Growth
     • Cybercrime impact is growing faster than most other forms of crime and fraud:
       • Identity theft for new-account fraud
       • "Ransomware": hold information hostage
       • Denial of service: hold the Internet connection hostage
       • Industrial espionage
     • The vast majority of asset misappropriation (insider threats) is enabled by IT vulnerabilities.
     • Cybercrime attack techniques are often adopted by nation states.
  6. Why Do Some Do Better Than Others?
     • 980 breaches in 2016 (781 in 2015). What did the other 9,020 of the F10000 do differently?
     • On average, 36K records exposed per breach (average 215K in 2015). What did those who limited breach size do differently?
     • Almost invariably, the organizations with the least cyber-incident impact have the strongest CISOs and security teams.
     Source: Identity Theft Resource Center
  7. Defining a Strong Security Team/Program
     • Mature = effective and efficient
     • Key indicators:
       • Basic security hygiene
       • Security Operations Center processes and tools
       • "Business Security Analysts"
       • Integration into procurement, M&A and supply-chain decisions
       • Cross-industry participation
  8. Cybersecurity Frameworks: Center for Internet Security Critical Security Controls
  9. Basic Security Hygiene ROI Example
  10. WannaCry
     • On Friday, May 12th 2017, several organizations were affected by a new ransomware strain.
     • Attacks were very successful in part because the malware used an SMB vulnerability to spread inside networks; despite rumors, it was not phishing-driven.
     • The vulnerability was patched by Microsoft in March for supported versions of Windows.
     • The exploit, known under the name ETERNALBLUE, was released in April as part of a leak of NSA tools.
     • Variants were quickly seen spreading.
  11. Petya/NotPetya
     • Petya was ransomware with weak encryption that hit in March 2016, mostly delivered via emailed Dropbox links
     • On 27 June 2017, European power companies, banks and airports began being hit by wiper/ransomware that seemed related to Petya but wasn't
     • Later reports indicated that a compromised update of a Ukrainian tax software package (MEDoc) was the major infection vector
     • Spread using EternalBlue, Mimikatz-style credential theft, WMI and PsExec
  12. Locky/Dropbox (Source: SANS Internet Storm Center)
  13. Lessons Learned: Top Level
     • Phishing dominates, but not 100%
     • Basic security hygiene still matters:
       • Patching/vulnerability management (Critical Security Controls 1, 4)
       • Turn off unneeded services / block at the boundary (CSC 9, 12)
       • Network segmentation (CSC 4, 12)
       • Backup (CSC 10)
       • AppSec (CSC 18)
     • Special issues:
       • Detecting and monitoring accepted use of outdated operating systems: legacy apps, appliances, embedded systems
       • The excrement hits the ventilator differently for ransomware vs. a breach or DDoS
       • Tabletop exercises to walk through detect/react/contain/restore
  14. Implementing Critical Security Controls with Qualys Cloud Apps
  15. Basic Security Hygiene
     1. Know what you have (inventory)
     2. Limit what you don't NEED (EOL systems, services, networks, rights)
     3. Update your software
     4. Secure default configurations
     5. Employ process controls (DR/backup, email, vendors)
     6. Secure web apps
  16. Mapping to the Controls
     1. Inventory your systems
     2. Inventory and restrict software
     3. Secure configurations
     4. Continuous vulnerability management
     5. Review rights and permissions
  17. Configuration Assessment Challenges
     Automation and best practices are key to locking down IT systems globally and consistently!
     • Hundreds of security settings
     • Complex and dynamic IT environments
     • Spot-checking doesn't scale
     • Gold images suffer from configuration drift
     • Assessing only the devices in compliance scope is insufficient
  18. Recent Attacks Leveraging Misconfiguration: Petya
     • Petya leverages weak user-rights configuration to spread to other systems
     • Adding Domain Admins or Authenticated Users to local Administrators groups
     • UAC control validation
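The two slides above describe the checks but not how to run them. As an added example (not code from the deck, from Qualys or from SANS), the PowerShell below audits a Windows host for the three misconfigurations the slides tie to Petya-style lateral movement: broad groups such as Domain Admins or Authenticated Users sitting in the local Administrators group, UAC values drifted away from the CIS benchmark recommendations, and the SMBv1 server protocol still enabled. The allow-list, the CORP domain, the WS01 host name and the sample members are assumptions for illustration; the registry value names, `Get-LocalGroupMember` and `Get-SmbServerConfiguration` are real Windows interfaces (Windows PowerShell 5.1 or later, elevated).

```powershell
# Added example, not part of the Qualys/SANS deck: a minimal configuration-drift
# audit for the misconfigurations slide 18 calls out. Baseline values are assumptions.

# Assumed baseline: the only principals allowed in the local Administrators group.
$AllowedAdmins = @('Administrator', 'CORP\Workstation Admins')

# Broad principals that must never be local admins (slide 18's examples plus common ones).
$ForbiddenAdmins = @('Authenticated Users', 'Domain Users', 'Everyone', 'Domain Admins')

function New-Finding {
    param([string]$Check, [string]$Severity, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Severity = $Severity; Detail = $Detail }
}

function Test-LocalAdminMembership {
    # $Members: group members written as 'DOMAIN\name' or a bare 'name'.
    param([string[]]$Members,
          [string[]]$Allowed = $AllowedAdmins,
          [string[]]$Forbidden = $ForbiddenAdmins)
    foreach ($m in $Members) {
        $short = ($m -split '\\')[-1]              # strip the DOMAIN\ or HOST\ prefix
        if ($Forbidden -contains $short) {
            New-Finding 'LocalAdmins' 'High' "$m is a broad group; every member gets admin rights on this host"
        } elseif (-not ($Allowed -contains $m -or $Allowed -contains $short)) {
            New-Finding 'LocalAdmins' 'Medium' "$m is not in the baseline (configuration drift)"
        }
    }
}

function Test-UacPolicy {
    # $Policy: values read from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    param([hashtable]$Policy)
    # Expected values follow the CIS Windows benchmark recommendations.
    $expected = @{
        EnableLUA                     = 1   # UAC switched on
        ConsentPromptBehaviorAdmin    = 2   # prompt for consent on the secure desktop
        PromptOnSecureDesktop         = 1
        LocalAccountTokenFilterPolicy = 0   # keep remote UAC token filtering for local accounts
    }
    foreach ($name in $expected.Keys) {
        $actual = if ($Policy.ContainsKey($name)) { $Policy[$name] } else { $null }
        # An absent LocalAccountTokenFilterPolicy means the secure default (0); skip it.
        if ($name -eq 'LocalAccountTokenFilterPolicy' -and $null -eq $actual) { continue }
        if ($actual -ne $expected[$name]) {
            New-Finding 'UAC' 'High' "$name is '$actual', expected $($expected[$name])"
        }
    }
}

function Test-Smb1 {
    param([bool]$Smb1Enabled)
    if ($Smb1Enabled) {
        New-Finding 'SMB' 'High' 'SMBv1 server protocol is enabled (CSC 9: turn off unneeded services)'
    }
}

function Invoke-LocalConfigAudit {
    # Collects live values from this host and runs the three checks.
    $members = (Get-LocalGroupMember -Group 'Administrators').Name
    $reg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = @{}
    foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop', 'LocalAccountTokenFilterPolicy') {
        if ($null -ne $reg.$n) { $policy[$n] = [int]$reg.$n }
    }
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    @(Test-LocalAdminMembership $members) + @(Test-UacPolicy $policy) + @(Test-Smb1 $smb1)
}

# Constructed sample (not live data) showing the drift slide 18 describes:
# two broad groups in local Administrators, an unexpected helpdesk account,
# UAC prompting disabled, remote UAC filtering turned off, SMBv1 still on.
$sample = @(Test-LocalAdminMembership @('WS01\Administrator', 'CORP\Domain Admins',
                                        'CORP\Authenticated Users', 'WS01\helpdesk')) +
          @(Test-UacPolicy @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0;
                              PromptOnSecureDesktop = 1; LocalAccountTokenFilterPolicy = 1 }) +
          @(Test-Smb1 $true)
$sample | Format-Table -AutoSize

# On a real host, run Invoke-LocalConfigAudit from an elevated prompt instead.
```

The checks take their inputs as parameters rather than querying the host inside each function, so the same logic can be run against a baseline exported from a gold image, against data pulled by a scanner, or against a live host through `Invoke-LocalConfigAudit`; that separation is what lets a check run consistently across the fleet instead of being spot-checked by hand, which is the scaling problem slide 17 raises.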
  19. Benefits of Automated Assessment
  20. Prioritize and Remediate
     • Categorize your controls
     • Identify critical applications and systems
     • Establish an initial baseline and remediation plan
     • Handle exceptions
     • Execute, but be realistic
     • Your work is never done!
  21. 15 of the Top 20 Controls have configuration assessment components!
  22. Assess and Secure Your Web Applications: simplify application security with a rational process
     (Diagram: application states New Application, Known Application, Secured Application; steps Identify Vulnerabilities, Security Policy?, Virtual-Patch Templates and Custom Rules, WAF Auto-Updates)
  23. Thank You. Tim White